Apple’s policy to repeatedly ask users for their iTunes password needlessly exposes iOS device owners to possible phishing attacks, according a mobile app developer Felix Krause.
Krause’s beef with Apple is that too often and seemingly at random times, popups deliver a dialogue box for users to enter their Apple ID. The prompts have become so routine that users enter the personal data without considering popups could be malicious, he said.
“As a result, users are trained to just enter their Apple ID password whenever iOS prompts you to do so. However, those popups are not only shown on the lock screen, and the spring board, but also inside random apps, e.g. when they want to access iCloud, GameCenter or In-App-Purchases,” wrote Krause on Apple’s Open Radar community bug report posted Monday.
His premise is that repeated password requests could be abused by a rogue app developer that utilizes the “UIAlertController” prompt that looks exactly like Apple’s system dialog popup that requests an Apple ID or password (see below).
“Even users who know a lot about technology, have a hard time detecting that those alerts are phishing attacks,” Krause said.
The app developer proposes several solutions. For example, when Apple requests an iTunes ID from the user it should require the user to open the iOS settings app to do so. Another solution includes requiring app dialog boxes to have a visual indicator alerting users the app is asking for the credentials and not the system.
Krause also gripes on his personal blog that Apple should “fix the root of the problem” and that “users shouldn’t constantly be asked for their credentials.”
“Initially I thought, faking those alerts requires the app developer to know your email. Turns out, some of those auth popups don’t include the email address, making it even easier for phishing apps to ask for the password,” he said.
Krause said he is unaware of any instances where this dialogue box has been abused.
If Apple doesn’t take any action, Krause suggests when users come across an iOS dialog box they should hit the Home button. If the box closes then it’s a phishing attack. “If the dialog and the app are still visible, then it’s a system dialog. The reason for that is that the system dialogs run on a different process, and not as part of any iOS app,” he wrote.
Another solution is to enable two factor authentication. But even then, he cautions: “Even with 2FA enabled accounts, what if the app asked you for your 2 step code? Most users would gladly request a 2FA-token and ask for it, and directly pipe it over to a remote server.”
He said users should be trained not to automatically enter their credentials in Apple dialog boxes in the same way they are trained not to follow links in emails.
“Showing a dialog that looks just like a system popup is super easy, there is no magic or secret code involved, it’s literally the examples provided in the Apple docs, with a custom text,” he wrote. “I decided not to open source the actual popup code, however, note that it’s less than 30 lines of code and every iOS engineer will be able to quickly build their own phishing code.”
